Commit 415453f3 authored by Michał Zając's avatar Michał Zając

Introduce Security::VulnerabilityUUID helper

This helper will prevent wrong order when calculating UUIDv5 for
Vulnerabilities
parent 91e7e999
# frozen_string_literal: true
module Security
class VulnerabilityUUID
def self.generate(report_type:, primary_identifier_fingerprint:, location_fingerprint:, project_id:)
Gitlab::UUID.v5("#{report_type}-#{primary_identifier_fingerprint}-#{location_fingerprint}-#{project_id}")
end
end
end
...@@ -369,7 +369,16 @@ module Vulnerabilities ...@@ -369,7 +369,16 @@ module Vulnerabilities
# We will eventually have only UUIDv5 values for the `uuid` # We will eventually have only UUIDv5 values for the `uuid`
# attribute of the finding records. # attribute of the finding records.
def uuid_v5 def uuid_v5
Gitlab::UUID.v5?(uuid) ? uuid : Gitlab::UUID.v5(uuid_v5_name) if Gitlab::UUID.v5?(uuid)
uuid
else
::Security::VulnerabilityUUID.generate(
report_type: report_type,
primary_identifier_fingerprint: primary_identifier.fingerprint,
location_fingerprint: location_fingerprint,
project_id: project_id
)
end
end end
def pipeline_branch def pipeline_branch
...@@ -391,14 +400,5 @@ module Vulnerabilities ...@@ -391,14 +400,5 @@ module Vulnerabilities
project_fingerprint: project_fingerprint project_fingerprint: project_fingerprint
} }
end end
def uuid_v5_name
[
report_type,
primary_identifier.fingerprint,
location_fingerprint,
project_id
].join('-')
end
end end
end end
...@@ -180,9 +180,12 @@ module Gitlab ...@@ -180,9 +180,12 @@ module Gitlab
return return
end end
name = uuid_v5_name_components.values.join('-') ::Security::VulnerabilityUUID.generate(
report_type: uuid_v5_name_components[:report_type],
Gitlab::UUID.v5(name) primary_identifier_fingerprint: uuid_v5_name_components[:primary_identifier_fingerprint],
location_fingerprint: uuid_v5_name_components[:location_fingerprint],
project_id: uuid_v5_name_components[:project_id]
)
end end
end end
end end
......
...@@ -32,7 +32,12 @@ FactoryBot.define do ...@@ -32,7 +32,12 @@ FactoryBot.define do
severity { :high } severity { :high }
scan factory: :ci_reports_security_scan scan factory: :ci_reports_security_scan
sequence(:uuid) do |n| sequence(:uuid) do |n|
Gitlab::UUID.v5("#{report_type}-#{identifiers.first&.fingerprint}-#{location.fingerprint}-#{n}") ::Security::VulnerabilityUUID.generate(
report_type: report_type,
primary_identifier_fingerprint: identifiers.first&.fingerprint,
location_fingerprint: location.fingerprint,
project_id: n
)
end end
skip_create skip_create
......
...@@ -48,7 +48,12 @@ FactoryBot.define do ...@@ -48,7 +48,12 @@ FactoryBot.define do
location_fingerprint { SecureRandom.hex(20) } location_fingerprint { SecureRandom.hex(20) }
report_type { :sast } report_type { :sast }
uuid do uuid do
Gitlab::UUID.v5("#{report_type}-#{primary_identifier.fingerprint}-#{location_fingerprint}-#{project_id}") Security::VulnerabilityUUID.generate(
report_type: report_type,
primary_identifier_fingerprint: primary_identifier.fingerprint,
location_fingerprint: location_fingerprint,
project_id: project_id
)
end end
severity { :high } severity { :high }
confidence { :medium } confidence { :medium }
......
...@@ -163,10 +163,24 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -163,10 +163,24 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
describe 'setting the uuid' do describe 'setting the uuid' do
let(:finding_uuids) { report.findings.map(&:uuid) } let(:finding_uuids) { report.findings.map(&:uuid) }
let(:uuid_1_components) { "dependency_scanning-4ff8184cd18485b6e85d5b101e341b12eacd1b3b-33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}" } let(:uuid_1) do
let(:uuid_2_components) { "dependency_scanning-d55f9e66e79882ae63af9fd55cc822ab75307e31-33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}" } Security::VulnerabilityUUID.generate(
let(:uuid_1) { Gitlab::UUID.v5(uuid_1_components) } report_type: "dependency_scanning",
let(:uuid_2) { Gitlab::UUID.v5(uuid_2_components) } primary_identifier_fingerprint: "4ff8184cd18485b6e85d5b101e341b12eacd1b3b",
location_fingerprint: "33dc9f32c77dde16d39c69d3f78f27ca3114a7c5",
project_id: pipeline.project_id
)
end
let(:uuid_2) do
Security::VulnerabilityUUID.generate(
report_type: "dependency_scanning",
primary_identifier_fingerprint: "d55f9e66e79882ae63af9fd55cc822ab75307e31",
location_fingerprint: "33dc9f32c77dde16d39c69d3f78f27ca3114a7c5",
project_id: pipeline.project_id
)
end
let(:expected_uuids) { [uuid_1, uuid_2, nil] } let(:expected_uuids) { [uuid_1, uuid_2, nil] }
it 'sets the UUIDv5 for findings', :aggregate_failures do it 'sets the UUIDv5 for findings', :aggregate_failures do
......
...@@ -5,6 +5,8 @@ require 'spec_helper' ...@@ -5,6 +5,8 @@ require 'spec_helper'
require Rails.root.join('db', 'post_migrate', '20200910131218_remove_duplicated_cs_findings.rb') require Rails.root.join('db', 'post_migrate', '20200910131218_remove_duplicated_cs_findings.rb')
RSpec.describe RemoveDuplicatedCsFindings, :migration do RSpec.describe RemoveDuplicatedCsFindings, :migration do
include MigrationHelpers::VulnerabilitiesFindingsHelper
let(:migration) { 'RemoveDuplicateCsFindings'} let(:migration) { 'RemoveDuplicateCsFindings'}
let(:namespaces) { table(:namespaces) } let(:namespaces) { table(:namespaces) }
let(:notes) { table(:notes) } let(:notes) { table(:notes) }
...@@ -90,21 +92,16 @@ RSpec.describe RemoveDuplicatedCsFindings, :migration do ...@@ -90,21 +92,16 @@ RSpec.describe RemoveDuplicatedCsFindings, :migration do
end end
def finding_params(primary_identifier_id, project_id) def finding_params(primary_identifier_id, project_id)
attrs = attributes_for(:vulnerabilities_finding) # rubocop: disable RSpec/FactoriesInMigrationSpecs attrs = attributes_for_vulnerabilities_finding
{ custom_attrs = {
severity: 0, severity: 0,
confidence: 5, confidence: 5,
report_type: 2, report_type: 2,
project_id: project_id, project_id: project_id,
scanner_id: 6, scanner_id: 6,
primary_identifier_id: primary_identifier_id, primary_identifier_id: primary_identifier_id
project_fingerprint: attrs[:project_fingerprint],
location_fingerprint: Digest::SHA1.hexdigest(SecureRandom.hex(10)),
uuid: attrs[:uuid],
name: attrs[:name],
metadata_version: '1.3',
raw_metadata: attrs[:raw_metadata]
} }
attrs.merge(custom_attrs)
end end
def create_identifier(number_of) def create_identifier(number_of)
......
...@@ -131,12 +131,15 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -131,12 +131,15 @@ RSpec.describe Security::StoreReportService, '#execute' do
let!(:vulnerability) { create(:vulnerability, findings: [finding], project: project) } let!(:vulnerability) { create(:vulnerability, findings: [finding], project: project) }
let(:uuid_v5_components) do let(:desired_uuid) do
"#{finding.report_type}-#{finding.primary_identifier.fingerprint}-#{finding.location_fingerprint}-#{finding.project_id}" Security::VulnerabilityUUID.generate(
report_type: finding.report_type,
primary_identifier_fingerprint: finding.primary_identifier.fingerprint,
location_fingerprint: finding.location_fingerprint,
project_id: finding.project_id
)
end end
let(:desired_uuid) { Gitlab::UUID.v5(uuid_v5_components) }
let!(:finding_with_uuidv5) do let!(:finding_with_uuidv5) do
create(:vulnerabilities_finding, create(:vulnerabilities_finding,
pipelines: [pipeline], pipelines: [pipeline],
......
...@@ -61,16 +61,12 @@ module Gitlab ...@@ -61,16 +61,12 @@ module Gitlab
private private
def calculated_uuid def calculated_uuid
Gitlab::UUID.v5(uuid_components) ::Security::VulnerabilityUUID.generate(
end report_type: category,
primary_identifier_fingerprint: vulnerability_finding.primary_identifier.fingerprint,
def uuid_components location_fingerprint: vulnerability_finding.location_fingerprint,
[ project_id: project_id
category, )
vulnerability_finding.primary_identifier.fingerprint,
vulnerability_finding.location_fingerprint,
project_id
].join('-')
end end
def finding_key def finding_key
......
...@@ -27,12 +27,33 @@ RSpec.describe Gitlab::BackgroundMigration::PopulateFindingUuidForVulnerabilityF ...@@ -27,12 +27,33 @@ RSpec.describe Gitlab::BackgroundMigration::PopulateFindingUuidForVulnerabilityF
let(:finding_1) { finding_creator.call(sast_report, location_fingerprint_1) } let(:finding_1) { finding_creator.call(sast_report, location_fingerprint_1) }
let(:finding_2) { finding_creator.call(dast_report, location_fingerprint_2) } let(:finding_2) { finding_creator.call(dast_report, location_fingerprint_2) }
let(:finding_3) { finding_creator.call(secret_detection_report, location_fingerprint_3) } let(:finding_3) { finding_creator.call(secret_detection_report, location_fingerprint_3) }
let(:uuid_1_components) { ['sast', identifier.fingerprint, location_fingerprint_1, project.id].join('-') } let(:expected_uuid_1) do
let(:uuid_2_components) { ['dast', identifier.fingerprint, location_fingerprint_2, project.id].join('-') } Security::VulnerabilityUUID.generate(
let(:uuid_3_components) { ['secret_detection', identifier.fingerprint, location_fingerprint_3, project.id].join('-') } report_type: 'sast',
let(:expected_uuid_1) { Gitlab::UUID.v5(uuid_1_components) } primary_identifier_fingerprint: identifier.fingerprint,
let(:expected_uuid_2) { Gitlab::UUID.v5(uuid_2_components) } location_fingerprint: location_fingerprint_1,
let(:expected_uuid_3) { Gitlab::UUID.v5(uuid_3_components) } project_id: project.id
)
end
let(:expected_uuid_2) do
Security::VulnerabilityUUID.generate(
report_type: 'dast',
primary_identifier_fingerprint: identifier.fingerprint,
location_fingerprint: location_fingerprint_2,
project_id: project.id
)
end
let(:expected_uuid_3) do
Security::VulnerabilityUUID.generate(
report_type: 'secret_detection',
primary_identifier_fingerprint: identifier.fingerprint,
location_fingerprint: location_fingerprint_3,
project_id: project.id
)
end
let(:finding_creator) do let(:finding_creator) do
-> (report_type, location_fingerprint) do -> (report_type, location_fingerprint) do
findings.create!( findings.create!(
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment